Govt’s Covid-19 app sparks furore over security flaws

37

The government’s Covid-19 Gov PK mobile application came under criticism for security flaws on Tuesday by a French security researcher.

Baptiste Robert, a French security researcher who specialises in smartphone apps that abuse user data, reported several privacy gaffes in the application developed by the National IT Board (NITB).

The Android app requests users to allow it to access their mobile location data to show Covid-19 patient within a radius of 30 to 300 metres. It also allows patients to mark their location on the app to help others identify if there is a positive case in their locality.

‘Worst security practice’

In a series of tweets, Robert — who tweets under the pseudonym Elliot Alderson — said the “radius alert” app was being managed without proper security bearings using hardcoded passwords.

Password hardcoding refers to the practice of embedding plain text (non-encrypted) passwords in the source code.

“To display the pins on the map, the app is downloading the exact longitude and latitude of sick people,” he said, adding that the security flaw meant any hacker could find the locations of the identified patients in Pakistan.

He further tweeted that requests being sent to the server on the app were insecure (requests made with http). As a result, any potential attacker would be able to access any username and password being used to access the server.

“By keeping hardcoded credentials, use http or disclose personal data of infected people, the “COVID-19 Gov PK” mobile app is a compilation of the worst security practices in mobile development,” Mr Robert told Dawn.

To date, over 500,000 people have downloaded the app.

Govt rejects claims

Responding to the allegations, NITB CEO Shabahat Ali Shah in a statement on Twitter said: “The app does not show the exact coordinates of the infected people, instead it shows a radius parameter that is fixed by def­ault at 10m for self-declared pati­e­nts and 300m at a quarantine location.”

The self-declared patients have given their consent to reveal their coordinates for the safety of other citizens, he added. “Moreover, they have accepted our app privacy policy/terms and conditions.”

The app’s brief privacy policy reads that the app “helps in gathering requisite information to identify an infected individual for the provision of necessary health services and related guidance, adhering to social, moral, ethical values, and privacy”.

Referring to Robert’s screenshot showing use of hardcoded password, he said the hardcoded password was the defined “keyword” to give more security to auth-token endpoint so that it could be only used from mobile apps. “All our APIs communicate using HTTPS. Hence, security and protection of data and users as per international standards is of prime importance and implemented at the core,” he concluded.

The NITB CEO said there was always room for improvement and any critical analysis would be appreciated. He said the NITB was preparing a security audit report of the app.

Experts unconvinced

An independent mobile app security test on web security website ImmuniWeb revealed that the app contained potentially sensitive hardcoded data. The app also uses an unencrypted database that can be accessed by an attacker with physical access to the mobile device or a malicious application with root access to the device. The app should not store sensitive information in clear text.

“Whereas the intent behind the app is noble — to help save lives of people affected by Covid-19 and also those at risk — testing of the app shows that it’s security and privacy protocols are not up to the mark,” Bolo Bhi director Usama Khilji told Dawn after scanning the app.

“The server appears to use a username and password for authentication [for access], and these values are hardcoded in all copies of the Android application. This makes it easy for anyone to inspect these values in the application,” said Amin Shah Gilani, former interim chief technology officer of Patari.

The Digital Rights Foundation has demanded that the government disclose its data sharing policy in detail.

Published in Dawn, June 11th, 2020